Plaintiff's law firm issued a press release on October 11, 2018, announcing the lawsuit. According to the press release, Alphabet was incorporated in 2015 and is the parent company of its leading subsidiary Google Inc. (“Google”), among others. Alphabet, through its subsidiary Google, operates a social networking website called “Google+” that allows people to communicate with their family, friends, and coworkers. Google+ users ostensibly have the ability to share and restrict the sharing of personal information according to their preferences by changing privacy settings.
Between 2015 and March 2018, a software glitch in the Google+ website permitted outside developers to access the personal profile data of Google+ members who had not opted to permit their data to be shared publicly. Defendants discovered this glitch in March 2018, ran tests to determine the impact of the glitch, and determined that the data of nearly half of a million users had been exposed to third parties. Google’s legal and policy staff drafted a memorandum regarding the security failure and shared it with senior executives. The memorandum warned that disclosing the incident would likely trigger “immediate regulatory interest.” Google’s CEO was briefed on the plan not to notify users after an internal committee had reached that decision.
The Complaint alleges that throughout the Class Period, Defendants made materially false and misleading statements regarding the Company’s business, operational and compliance policies. Specifically, Defendants made false and/or misleading statements and/or failed to disclose that: (1) the Company’s security measures had failed recently and massively, as Google had exposed the private data of hundreds of thousands of users of Google+ to third parties; (2) damage to the Company’s reputation and operating results and loss of customers from this failure of the Company’s security measures were imminent and inevitable; (3) the Company’s security protections did not shield personal user data against theft and security breaches; and (4) the Company’s security measures had been breached due to employee error, malfeasance, system errors or vulnerabilities.